The Online Privacy Act of 2021, New Proposed Law
As data privacy continues to be a growing issue in the age of digital communication, nations around the world have enacted new laws geared toward protecting the personal information of their citizens. While the U.S. has yet to pass a comprehensive data protection law at the federal level, several proposed laws are currently being considered. One of them, the Online Privacy Act of 2021, a data privacy law that was first introduced in 2019, was reintroduced by U.S. Reps. Anna G. Eshoo (CA-18) and Zoe Lofgren (CA-19) on November 18, 2021.
Otherwise known as H.R. 6027, the law would serve “To provide for individual rights relating to privacy of personal information, to establish privacy and security requirements for covered entities relating to personal information, and to establish an agency to be known as the United States Digital Privacy Agency to enforce such rights and requirements, and for other purposes.” The law would place new obligations on businesses and organizations that collect the personal data of American citizens, and it would provide those citizens with various rights concerning their personal privacy.
How is personal data defined under the law?
Under the proposed Online Privacy Act of 2021, personal information is defined as “any information maintained by a covered entity that is linked or reasonably linkable to a specific individual or a specific device, including de-identified personal information and the means to behavioral personalization created for or linked to a specific individual.” The term personal information does not include “(i) publicly available information related to an individual; or (ii) information derived or inferred from personal information, if the derived or inferred information is not linked or reasonably linkable to a specific individual.”
What are the proposed provisions of the law?
Much like other prominent data privacy laws passed in other countries in the past decade, such as the EU’s General Data Protection Regulation (GDPR), the Online Privacy Act of 2021 would establish a number of requirements that businesses would be responsible for adhering to when collecting, processing, transferring, retaining, or disclosing the personal information of American citizens. For instance, the law states that businesses looking to collect personal data from an individual within the U.S. must have a reasonable and articulated basis for doing so.
The law also forbids businesses from processing the personal information of data subjects within the U.S. for any purpose other than the one stated to the individual at the time their data was collected. Furthermore, businesses are prohibited from retaining the personal data of an American citizen “once such information is no longer needed for the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.”
What are the rights of U.S. citizens under the law?
The proposed Online Privacy Act of 2021 also affords American citizens a number of rights relating to the protection of their personal information and, by extension, their personal privacy. These rights include the following:
- The right of access.
- The right of correction.
- The right of deletion.
- The right of portability.
- The right to be informed.
- The right to human review of automated decisions.
- The right to individual autonomy.
- The right to impermanence.
As for enforcement, the Online Privacy Act of 2021 would establish “an agency to be known as the United States Digital Privacy Agency to enforce such rights and requirements, and for other purposes.” The appointed Director of this agency would be charged with enforcing the numerous provisions of the law. The law states that “the Agency may commence a civil action against such person to impose a civil penalty or to seek all appropriate legal and equitable relief, including a permanent or temporary injunction.”
Because the current data privacy landscape within the U.S. is segmented into a multitude of different laws that pertain to specific sectors of business, such as the Health Insurance Portability and Accountability Act (HIPAA), passing a single law that would protect the privacy of all Americans across the nation’s 50 states has proven to be an extremely difficult task in practice. For this reason, even though the Online Privacy Act of 2021 would not provide as much protection as laws such as the EU’s GDPR, the enactment of such legislation would nonetheless represent a positive development.